Security
⏱ ~4-min readAceMark GuideWhat this topic is really about
Security groups act as stateful virtual firewalls attached to EC2 instances, allowing you to permit specific inbound ports and source IP ranges while automatically allowing return traffic. Network ACLs are stateless and operate at the subnet level, often used for broader controls, so they are not the primary mechanism for per‑instance port filtering. IAM roles govern API permissions, and VPC peering merely links VPCs, not traffic restrictions.
An IAM policy that includes a Condition element checking "aws:MultiFactorAuthPresent" forces users to authenticate with MFA before they can access AWS services. This policy can be attached to all users or groups, ensuring consistent enforcement across the account. IAM Password Policies only govern password complexity and expiration, not MFA requirements.
See the mechanism
Security groups act as stateful virtual firewalls attached to EC2 instances, allowing you to permit specific inbound ports and source IP ranges while automatically allowing return traffic. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
To restrict EC2 traffic to specific ports and source IPs, use:
- Identify what the question tests: To restrict EC2 traffic to specific ports and source IPs, use:.
- Security groups act as stateful virtual firewalls attached to EC2 instances, allowing you to permit specific inbound ports and source IP ranges while automatically allowing return traffic.
- Network ACLs are stateless and operate at the subnet level, often used for broader controls, so they are not the primary mechanism for per‑instance port filtering.
- IAM roles govern API permissions, and VPC peering merely links VPCs, not traffic restrictions.
Traps the examiner sets
- Network ACLs are stateless and operate at the subnet level, often used for broader controls, so they are not the primary mechanism for per‑instance port filtering.
- In contrast, security groups control network traffic at the instance level and do not grant API authorization.
- Keys with imported key material do not support automatic rotation.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Security and see it stick.
Practice more of this topic →